Enigform News :)

Thanks for all the good work, Buanzo! I've been trying to read up on the details of Enigform, and in particular, I was hoping to review the proposed RFC. I found several links to what appears to be a placeholder page, but no copy of the RFC to read and/or comment on.

(BTW, I'm on ietf-openpgp these days, but I unfortunately joined that list too late to participate in the initial discussion of your brainchild -- sorry to have missed it!)

Kyle Huff, the original implementer of gpgAuth, is here on my Pidgin buddy list. I know for a fact that he's quite busy (he became a parent a little while ago). I still haven't contacted the FireGPG guys (Oh boy, I love it!).

Why, you might ask? Simple: you ask for the RFC. The RFC is non-existent now. I had quite a nice draft, which I dismissed in favor of more active 'hands on' research. I never mentioned this publicly, but the amount of research and issues I found while coding for Apache and Mozilla led me to first consider a working 'reference implementation', then write an RFC when I finally reach a certain level of functionality. Also, as Enigform is developed in the arms of OWASP (www.owasp.org, the Open Web Application Security Project), I have a big bunch of people behind me, finding bugs and protocol issues, doing security testing, etc.

This first Beta release, along with the WordPress plugin, is the first REAL step to get community feedback.

I want, of course, to be in touch with FireGPG, Enigmail (BTW, the name Enigform is an obvious tribute to Enigmail), GnuPG (Werner Koch is actually quite up-to-date with Enigform). But the truth is that I'd be ashamed right now. I'm working on improving the code, protocol, and everything, but I don't feel up to the level of those guys.

Thanks for the feedback. I can understand not feeling ready, but Enigform is out and published already -- people are downloading it and using it! Having a published spec (even if it just represents the currently accepted best practice) is useful for interoperability as well as for security audits, to help make sure you're on the right track.

I looked around at the OWASP page for this project, but still couldn't find anything that resembles a specification of what exactly is happening. I can read the source, of course, but I'd like to understand what the goals and procedures of the protocol are, as opposed to what the current code implements at a byte-for-byte level.

At any rate, reviewing the protocol specification is a different task than reviewing an implementation, no? Would you be up for sending me a draft of what you're working on, even if you want to keep it under wraps at the moment? I'm really interested in seeing OpenPGP be more widely useful to more people, but I want to make sure that the protocols themselves are secure (and to help secure them if they're not)!

Also, I reviewed all your concerns on gpgAuth. For instance, HTTP replay attacks ARE taken into consideration. I know a signed HTTP request can be replayed... but one that belongs to a current session is not so easily replayable, either. Also, the secure session initiation protocol (BARELY mentioned here... http://wiki.buanzo.org/index.php?n=ModO ... nformation ) signs responses during the challenge-response mechanism. I still have to enhance this. I'm working on implementing the ability to import a server's public key as published according to the 'CERT' DNS Resource Record (RFC 4398 by Simon Josefsson, http://josefsson.org/rfc2538bis/rfc4398.txt). But, you know, the Mozilla API does not have a nice DNS library... just one to get A records.

So, well, yes, I think we can work together. I find some of your other attack scenarios quite interesting, and I'd like to continue this off-forum for the time being.
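As an added illustration of the replay concern discussed in this thread (not Enigform's or gpgAuth's own code or protocol), the sketch below shows why a signature alone does not stop replay and how binding each signed request to a server-issued session nonce and a per-session sequence number lets the server reject a second copy. The HMAC is a constructed stand-in for the OpenPGP signature, and the session-nonce/sequence layout is an assumption.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in: an HMAC over the canonical request plays the role of
# the OpenPGP signature the client would attach. The verification logic is the point.
KEY = b"constructed-shared-key"


def canonical_form(method, path, body, session_nonce, seq):
    """Bytes that get signed: method, path, session nonce and sequence number."""
    return f"{method}\n{path}\n{session_nonce}\n{seq}\n".encode() + body


def sign_request(method, path, body, session_nonce, seq):
    """Client side: produce a request whose signature covers the session binding."""
    sig = hmac.new(KEY, canonical_form(method, path, body, session_nonce, seq),
                   hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body,
            "session_nonce": session_nonce, "seq": seq, "sig": sig}


def signature_valid(req):
    """Signature check only; on its own this accepts an identical replayed request."""
    expected = hmac.new(KEY, canonical_form(req["method"], req["path"], req["body"],
                                            req["session_nonce"], req["seq"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, req["sig"])


class Verifier:
    """Server side: each (session nonce, sequence number) pair is accepted at most once."""

    def __init__(self):
        self.sessions = {}  # session_nonce -> highest sequence number accepted so far

    def open_session(self):
        nonce = secrets.token_hex(16)  # issued during session initiation
        self.sessions[nonce] = -1
        return nonce

    def verify(self, req):
        if not signature_valid(req):
            return "bad-signature"
        last = self.sessions.get(req["session_nonce"])
        if last is None:
            return "unknown-session"  # nonce was never issued (or session expired)
        if req["seq"] <= last:
            return "replay"  # already consumed: a captured copy is rejected
        self.sessions[req["session_nonce"]] = req["seq"]
        return "ok"
```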